itlawwikiaorg-20200214-history
Vulnerability
Definitions Biometrics A vulnerability is Computer systems A computer or system vulnerability is General A vulnerability (also called a security weakness) is Overview The growing number of known vulnerabilities increases the number of potential attacks created by the hacker community. As vulnerabilities are discovered, attackers may attempt to exploit them. Attacks can be launched against specific targets or widely distributed through viruses and worms. Today, many vulnerabilities are easy to exploit, and individuals and organizations worldwide can access systems and networks connected to the Internet across geographic and national boundaries. Current technology also makes it easy to hide or disguise the origin and identity of the individuals or organizations that exploit these vulnerabilities. In addition, cyber security vulnerabilities are volatile; even as existing vulnerabilities are patched, new ones are discovered. Even when vulnerabilities are discovered and patched by security professionals prior to an attack, hackers are increasingly reverse-engineering patches in order to discover the vulnerabilities and develop attacks that exploit them. Hostile actors are deriving attacks from new patches with increasing speed, often launching attacks before these patches are widely tested and deployed to secure vulnerable systems. The result of these trends is a vicious cycle in which there is a constant need for new countermeasures. While the Internet receives the most attention in press coverage of cyber incidents, from a national security perspective the playing field for potential cyber attack operations is much broader. Sensitive information tends to be isolated from the Internet, but the various gateways that exist to facilitate the transfer of information from the outside into a closed network provide many openings for possible attack. Moreover, though substantial progress has been made in raising levels of awareness about cyber security across industry and government, securing critical infrastructures remains a significant national challenge. Many critical industries, previously isolated from Internet security problems because they used older mainframe computing systems and leased telephone lines in dedicated networks, are reaching the time when this legacy infrastructure is being retired. They are adopting modern networks using personal computers, workstations, and servers with mainstream operating systems, interconnected through local-area networks, and connected to the Internet. In addition, the telecommunications industry itself is going through a systemic transformation caused by deregulation, economic change, and technological evolution, which may also leave these networks more vulnerable to attack. Typical vulnerabilities Some of the vulnerabilities used by cyberattackers include:"Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities" 85 (William A. Owens, Kenneth W. Dam & Herbert S. Lin eds. 2009). * Software. Application or system software may have accidentally or deliberately introduced flaws whose use can subvert the intended purpose for which the software was designed. * Hardware. Vulnerabilities can also be found in hardware, including microprocessors, microcontrollers, circuit boards, power supplies, peripherals such as printers or scanners, storage devices, and communications equipment such as network cards. Tampering with such components may secretly alter the intended functionality of the component, or provide opportunities to introduce hostile software. * Seams between hardware and software. An example of such a seam might be the reprogrammable read-only memory of a computer (firmware) that can be improperly and clandestinely reprogrammed. * Communications channels. The communications channels between a system or network and the “outside” world can be used by an attacker in many ways. An attacker can pretend to be an “authorized” user of the channel, jam it and thus deny its use to the adversary, or eavesdrop on it to obtain information intended by the adversary to be confidential. * Configuration. Most systems provide a variety of configuration options that users can set, based on their own security versus convenience tradeoffs. Because convenience is often valued more than security, many systems are configured insecurely. * Users and operators. Authorized users and operators of a system or network can be tricked or blackmailed into doing the bidding of an attacker. Software vulnerabilities Software may have vulnerabilities due to buffer overflows and improper packet header handling. These flaws typically occur because the software is not validating critical information properly. For example, a short integer may be used as a table index without checking whether the parameter passed to the function exceeds 32,767, resulting in invalid memory accesses or crashing of the system. Exploitable software flaws typically result in two types of vulnerabilities: denial-of-service attacks or revelation of critical system parameters. A denial-of-service attack often can be implemented remotely, by passing packets with specially constructed headers that cause the software to fail. In some cases the system can be crashed, producing a memory dump in which an intruder can find IP addresses of critical system nodes, passwords, or other security-relevant information. In addition, buffer overflows that allow the introduction of malicious code may occur. References See also * Cross-site scripting vulnerability * Cyber vulnerabilities * Dangling vulnerability * Electromagnetic vulnerability * Hazard vulnerability * Physical vulnerability * Security vulnerability * Social vulnerability * Software vulnerability * SQL injection vulnerability * Vulnerability analysis * Vulnerability assessment * Vulnerability class * Vulnerability database * Vulnerability management * Vulnerability scanner * Zero-day vulnerability Category:Technology Category:Internet Category:Software Category:Security Category:Definition